How to create a Cisco ACL to protect your business from being SPAM blacklisted

As the mantra says: prevention is better than cure. This is particularly so when it comes to being blacklisted for SPAM. Cleaning up after being listed can take days, and in the mean time you’ll find your client’s email being rejected by various mail servers and basically becoming very unreliable.

While Antivirus for your supported computers and SPAM protection for your mail server will go a long way to preventing blacklisting it’s not the be all and end all. This is especially the case if you need to allow third party access to your network. Usually you have little to no control of these computers.

In these cases it may be best to disable outbound access to SMTP (port 25) for all computers except the trusted mail server. To achieve this on a Cisco router you’ll need to setup an ip access-list. To configure an ip access-list in IOS do the following:

conf t
ip access-list extended LAN_IN
permit tcp host any eq smtp
deny tcp any any eq smtp log
permit ip any any

In this example is the ip address of the trusted mail server. When determining access the list is read top down. If a line matches the source and destination of the attempted connection then that access (ie permit or deny) is applied and the access list isn’t read any further.
So with this in mind this is why the first action on line 3 is to permit access for the mail server to any destination for SMTP traffic . Then on line 4 we deny access from all other sources to any destination for SMTP traffic. Finally we specifically allow all other traffic.

The next step is to apply the ip access list to your gateway interface. For example if your gateway address for your network is then identify the interface this is applied to (using the command show conf) and enter the following commands.

conf t
interface Vlan1
ip access-group LAN_IN in

In this example the gateway address was applied to interface Vlan1. Line 3 applies the new access list to the interface. You may be wondering why we indicate “in” and not “out” as we are trying to prevent outbound access to port 25. The reason is because the access request from the internal computers are coming “in” on the gateway address.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • Facebook
  • Twitter
  • Google Bookmarks

Leave a Reply

Your email address will not be published. Required fields are marked *